Security researchers have discovered a new variant of mobile malware named Agent Smith which has already infected around 25 million Android devices.
Disguised as a Google-related application, the malware exploits known Android vulnerabilities and automatically replaces installed applications with malicious versions.
The malware was discovered by security researchers at Check Point and is designed for financial gain by showing fraudulent ads to the victims.
Three Phases of Malware Infection
In the first phase, the attacker lures the users to download a dropper application disguised as free games, utility applications or adult entertainment applications.
The initial dropper has a weaponized Feng Shui Bundle as encrypted asset files.
In the second phase, the dropper automatically decrypts and installs its core malware by abusing several known system vulnerabilities without any user interaction.
In the third phase, the core malware targets each application on its target list by quietly extracting the application's APK file and patching it with extra malicious modules.
Then the malware replaces the original application with the malicious one as if it is an update.
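The third phase, as described above, leaves a trace a defender can check for: a repackaged APK differs from the store copy in its ZIP contents (extra DEX or native modules appear, existing entries change). The following script is an added example, not code from the article or from Check Point's report. It builds a per-entry SHA-256 fingerprint of a trusted APK and diffs the on-device copy against it; both APKs, the package name and the entry contents are constructed in memory for the demonstration.

```python
"""Added example (not from the Check Point report or the article): compare an
installed APK's contents against a trusted baseline to spot repackaging.

A repackaged APK differs from the store copy in its ZIP entries: new files
appear (extra DEX/native modules) and existing ones change. This script
builds a per-entry SHA-256 fingerprint of a trusted APK and diffs it against
the on-device copy. Both APKs here are constructed in memory (demo data).
"""
import hashlib
import io
import zipfile


def build_apk(entries: dict) -> bytes:
    """Construct a minimal APK-like ZIP in memory (demo data, not a real app)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def fingerprint(apk_bytes: bytes) -> dict:
    """Map each ZIP entry name to the SHA-256 of its uncompressed content."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        return {info.filename: hashlib.sha256(zf.read(info)).hexdigest()
                for info in zf.infolist() if not info.is_dir()}


def diff_apk(trusted: bytes, installed: bytes) -> dict:
    """Report entries added, removed or modified relative to the trusted copy."""
    base, cur = fingerprint(trusted), fingerprint(installed)
    return {
        "added": sorted(set(cur) - set(base)),
        "removed": sorted(set(base) - set(cur)),
        "modified": sorted(n for n in base.keys() & cur.keys() if base[n] != cur[n]),
    }


def is_repackaged(report: dict) -> bool:
    """Any difference from the trusted copy means the app was tampered with."""
    return any(report.values())


# Constructed sample: the trusted store copy vs. a copy "updated" on the device.
# Package name and entry contents are placeholders, not real app data.
TRUSTED_APK = build_apk({
    "AndroidManifest.xml": b"<manifest package='com.example.app'/>",
    "classes.dex": b"dex\n035\x00ORIGINAL-CODE",
    "META-INF/CERT.RSA": b"signature-blob",
})
INSTALLED_APK = build_apk({
    "AndroidManifest.xml": b"<manifest package='com.example.app'/>",
    "classes.dex": b"dex\n035\x00ORIGINAL-CODE+HOOK",   # patched entry point
    "classes2.dex": b"dex\n035\x00INJECTED-AD-MODULE",   # extra module added
    "META-INF/CERT.RSA": b"signature-blob",
})

if __name__ == "__main__":
    report = diff_apk(TRUSTED_APK, INSTALLED_APK)
    print("repackaged:", is_repackaged(report))
    for kind, names in report.items():
        print(f"  {kind}: {names}")
```

On a real device the trusted baseline would come from the store's copy of the same version and the installed bytes from the package's base APK path; content fingerprinting complements, rather than replaces, the platform's own signature verification, which is the primary check and which this campaign sidesteps by abusing system vulnerabilities during installation.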
According to researchers, users were lured to download the Agent Smith malware from a widely used third-party app store called 9Apps, a UC team backed store which targets mostly Indian (Hindi), Arabic, Russian, Indonesian speaking users.
The malware has a modular structure consisting of the following modules:
According to the analysis, it is estimated to be over 2.8 billion infections, on around 25 million unique devices.
The campaign was observed primarily targeting Indian Android users, with a 59% infection rate, and users in other Asian countries such as Pakistan, Bangladesh, Indonesia, and Nepal.
The malware has also infected a number of devices in the US (300,000 devices), Saudi Arabia (245,000 devices), Australia (141,000 devices) and the UK (137,000 devices).
Researchers also noted that they discovered 11 applications in the Google Play Store containing malicious yet dormant Agent Smith components.
“With such a devious infection method of replacing existing device apps with the malicious version of those apps, users are reminded that apps should only be downloaded from trusted app stores to mitigate the risk of infection.”
For more details, you can visit the analysis report published by Check Point researchers here.